
High severity vulnerabilities affecting WordPress (CVE-2024-5943, CVE-2024-2385, CVE-2024-6319, CVE-2024-6318)

Advisory No: TZCERT/SA/2024/07/04-1

Date of First Release: 4th July 2024

Source: Wordfence

Software Affected: WordPress plugins Nested Pages (wp-nested-pages), Elementor Addons by Livemesh (addons-for-elementor) and IMGspider

Overview:

Four high severity vulnerabilities affect three WordPress plugins. Attackers can leverage them to take control of the affected system.

Description:

Four vulnerabilities, tracked as CVE-2024-5943, CVE-2024-2385, CVE-2024-6319 and CVE-2024-6318, affect three WordPress plugins: Nested Pages (wp-nested-pages), Elementor Addons by Livemesh (addons-for-elementor) and IMGspider. CVE-2024-5943 (Nested Pages, all versions up to and including 3.2.7) is a cross-site request forgery leading to local file inclusion, caused by missing or incorrect nonce validation in the 'settingsPage' function combined with missing sanitization of the 'tab' parameter. CVE-2024-2385 (Elementor Addons by Livemesh, all versions up to and including 8.3.7) is a limited local file inclusion reachable by authenticated users with Contributor access or higher through the plugin's widgets via the 'style' attribute. CVE-2024-6319 and CVE-2024-6318 (IMGspider, all versions up to and including 2.3.10) are arbitrary file upload flaws caused by missing file type validation in the 'upload' and 'upload_img_file' functions, exploitable by authenticated users with Contributor access or higher. Successful exploitation allows an attacker to include or upload files on the affected server and execute arbitrary code remotely.
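As an added illustration, not code from any of the three plugins named in this advisory, the two flaw classes described above are shown in a hypothetical plugin beside their hardened forms: a settings page that includes a file chosen by an unvalidated 'tab' parameter with no nonce check (CSRF to local file inclusion), and an upload handler with no file type validation (arbitrary file upload). The plugin prefix 'acme', the view file names, the nonce action names and the capability choices are assumptions; the WordPress functions used (check_admin_referer, check_ajax_referer, sanitize_key, wp_check_filetype_and_ext, wp_handle_upload) are real core APIs.

```php
<?php
// Added example for a hypothetical plugin "acme"; it is not the code of
// Nested Pages, Elementor Addons by Livemesh or IMGspider. All names are assumptions.

// --- Flaw 1, vulnerable pattern: no nonce, no capability check, raw request
// data used to build an include() path. A forged link such as
// ?page=acme&tab=../../../../wp-config pulls in an arbitrary local .php file.
function acme_settings_page_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    include plugin_dir_path( __FILE__ ) . 'views/' . $tab . '.php';
}

// --- Flaw 1, hardened pattern.
function acme_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // Tab links must be built with wp_nonce_url( $url, 'acme_settings_tab', 'acme_nonce' );
    // check_admin_referer() dies if the nonce is missing or invalid, which defeats CSRF.
    check_admin_referer( 'acme_settings_tab', 'acme_nonce' );

    // Allowlist: request data selects a key, never a path fragment.
    $views = array(
        'general'  => 'general.php',
        'advanced' => 'advanced.php',
    );
    $tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
    if ( ! array_key_exists( $tab, $views ) ) {
        $tab = 'general';
    }
    include plugin_dir_path( __FILE__ ) . 'views/' . $views[ $tab ];
}

// --- Flaw 2, vulnerable pattern: any Contributor who can reach this AJAX
// action writes a file with its original name into the uploads directory, so
// shell.php lands in a web-served path and is executed on the next GET.
function acme_upload_vulnerable() {
    $upload_dir = wp_upload_dir();
    $dest       = $upload_dir['path'] . '/' . basename( $_FILES['file']['name'] );
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( array( 'path' => $dest ) );
}

// --- Flaw 2, hardened pattern.
function acme_upload() {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Nonce sent by the plugin's own JavaScript as the 'nonce' request field.
    check_ajax_referer( 'acme_upload', 'nonce' );

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // Only image types are acceptable for this handler; the client-supplied
    // Content-Type is ignored entirely.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );

    // Validates the extension against $allowed and checks the file content
    // (magic bytes) against the claimed type; a mismatch yields empty ext/type.
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        $_FILES['file']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // wp_handle_upload() re-validates, sanitizes the file name and chooses a
    // unique destination; 'mimes' restricts it to the same allowlist.
    $result = wp_handle_upload(
        $_FILES['file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

add_action( 'wp_ajax_acme_upload', 'acme_upload' );
```

The two hardened handlers pair an authorization check (current_user_can) with a request-origin check (nonce); either alone is insufficient, since a nonce does not prove the caller is allowed to act and a capability check does not prove the request was intentional. For uploads, validating the extension alone is not enough because extension and content can disagree; wp_check_filetype_and_ext() compares both against an explicit allowlist.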

Impact:

Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected system.

Solution:

The developers of the affected plugins have released patched versions that address these vulnerabilities. Users and administrators are encouraged to update Nested Pages, Elementor Addons by Livemesh and IMGspider to the latest available versions.

References:

  1. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-nested-pages/nested-pages-327-cross-site-request-forgery-to-local-file-inclusion
  2. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/addons-for-elementor/elementor-addons-by-livemesh-837-authenticated-contributor-limited-local-file-inclusion-via-widgets
  3. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/imgspider/imgspider-2310-authenticated-contributor-arbitrary-file-upload-via-upload
  4. https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/imgspider/imgspider-2310-authenticated-contributor-arbitrary-file-upload-via-upload-img-file
